import ipa-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa

.gitignore

@@ -0,0 +1 @@
+SOURCES/freeipa-4.7.90.pre1.tar.gz

.ipa.metadata

@@ -0,0 +1 @@
+a61a3e7f174a021934368252c4773da6238de820 SOURCES/freeipa-4.7.90.pre1.tar.gz

SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch

@@ -0,0 +1,30 @@
+From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Wed, 1 May 2019 16:19:53 -0700
+Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
+
+On Fedora/RHEL, it does not have a dash in it. The changes in
+da2cf1c5 inadvertently added a dash to the path in the 'base'
+paths definition (used on Fedora/RHEL), so the font wasn't found.
+
+Signed-off-by: Adam Williamson <awilliam@redhat.com>
+---
+ ipaplatform/base/paths.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 1cd2591bc..e1d396690 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -249,7 +249,7 @@ class BasePathNamespace:
+     USERADD = "/usr/sbin/useradd"
+     FONTS_DIR = "/usr/share/fonts"
+     FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
+-    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
++    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
+     USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+     USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
+     CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
+-- 
+2.21.0
+

SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch

@@ -0,0 +1,32 @@
+From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 20 Jul 2018 11:06:55 -0400
+Subject: [PATCH] No need to call rhel-specific domainname service
+
+It was moved upstream into hostname package which named it
+nis-domainname. When it was in the initscripts package there were
+separate fedora-domainname and rhel-domainname services.
+
+From F29+ it will be nis-domainname. We can use that as well in
+RHEL 8.
+---
+ ipaplatform/rhel/services.py | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
+index 1403d08..06fa633 100644
+--- a/ipaplatform/rhel/services.py
++++ b/ipaplatform/rhel/services.py
+@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services
+ # to their actual systemd service names
+ rhel_system_units = redhat_services.redhat_system_units
+ 
+-# Service that sets domainname on RHEL is called rhel-domainname.service
+-rhel_system_units['domainname'] = 'rhel-domainname.service'
+-
+ 
+ # Service classes that implement RHEL-specific behaviour
+ 
+-- 
+2.13.6
+

SOURCES/0001-revert-minssf-defaults.patch

@@ -0,0 +1,136 @@
+From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 1 May 2019 21:25:31 +0300
+Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
+
+This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
+---
+ install/share/Makefile.am       |  1 -
+ install/share/min-ssf.ldif      | 14 --------------
+ ipalib/constants.py             |  3 ---
+ ipapython/ipaldap.py            | 17 ++---------------
+ ipaserver/install/dsinstance.py |  5 -----
+ 5 files changed, 2 insertions(+), 38 deletions(-)
+ delete mode 100644 install/share/min-ssf.ldif
+
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index be83bdf75..8d039d95c 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -94,7 +94,6 @@ dist_app_DATA =				\
+ 	ipa-kdc-proxy.conf.template	\
+ 	ipa-pki-proxy.conf.template	\
+ 	ipa-rewrite.conf.template	\
+-	min-ssf.ldif			\
+ 	ipaca_default.ini		\
+ 	ipaca_customize.ini		\
+ 	ipaca_softhsm2.ini		\
+diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
+deleted file mode 100644
+index 1c2566f84..000000000
+--- a/install/share/min-ssf.ldif
++++ /dev/null
+@@ -1,14 +0,0 @@
+-# config
+-# pretend SSF for LDAPI connections
+-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
+-dn: cn=config
+-changetype: modify
+-replace: nsslapd-localssf
+-nsslapd-localssf: 256
+-
+-# minimum security strength factor for SASL and TLS
+-# 56 is considered weak, but some old clients announce wrong SSF.
+-dn: cn=config
+-changetype: modify
+-replace: nsslapd-minssf
+-nsslapd-minssf: 56
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index bcf6f3373..c22dd26ae 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -311,9 +311,6 @@ TLS_VERSIONS = [
+ ]
+ TLS_VERSION_MINIMAL = "tls1.0"
+ 
+-# minimum SASL secure strength factor for LDAP connections
+-# 56 provides backwards compatibility with old libraries.
+-LDAP_SSF_MIN_THRESHOLD = 56
+ 
+ # Use cache path
+ USER_CACHE_PATH = (
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index d9d67be1d..9ff443fe4 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -43,9 +43,7 @@ import six
+ 
+ # pylint: disable=ipa-forbidden-import
+ from ipalib import errors, x509, _
+-from ipalib.constants import (
+-    LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
+-)
++from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
+ # pylint: enable=ipa-forbidden-import
+ from ipaplatform.paths import paths
+ from ipapython.ipautil import format_netloc, CIDict
+@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
+     return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
+ 
+ 
+-def ldap_initialize(uri, cacertfile=None,
+-                    ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
++def ldap_initialize(uri, cacertfile=None):
+     """Wrapper around ldap.initialize()
+ 
+     The function undoes global and local ldap.conf settings that may cause
+@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
+       locations, also known as system-wide trust store.
+     * Cert validation is enforced.
+     * SSLv2 and SSLv3 are disabled.
+-    * Require a minimum SASL security factor of 56. That level ensures
+-      data integrity and confidentiality. Although at least AES128 is
+-      enforced pretty much everywhere, 56 is required for backwards
+-      compatibility with systems that announce wrong SSF.
+     """
+     conn = ldap.initialize(uri)
+ 
+@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
+     conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
+ 
+     if not uri.startswith('ldapi://'):
+-        # require a minimum SSF for TCP connections, but don't lower SSF_MIN
+-        # if the current value is already larger.
+-        cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
+-        if cur_min_ssf < ssf_min_threshold:
+-            conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
+-
+         if cacertfile:
+             if not os.path.isfile(cacertfile):
+                 raise IOError(errno.ENOENT, cacertfile)
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 8240e3043..9f05db1db 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -324,8 +324,6 @@ class DsInstance(service.Service):
+         else:
+             self.step("importing CA certificates from LDAP",
+                       self.__import_ca_certs)
+-        # set min SSF after DS is configured for TLS
+-        self.step("require minimal SSF", self.__min_ssf)
+         self.step("restarting directory server", self.__restart_instance)
+ 
+         self.start_creation()
+@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
+             dm_password=self.dm_password
+         )
+ 
+-    def __min_ssf(self):
+-        self._ldap_mod("min-ssf.ldif")
+-
+     def __add_sudo_binduser(self):
+         self._ldap_mod("sudobind.ldif", self.sub_dict)
+ 
+-- 
+2.21.0
+

SOURCES/0002-upgrade-adtrust-when-no-trusts.patch

@@ -0,0 +1,44 @@
+From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sat, 11 May 2019 11:54:40 +0300
+Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
+ trusts
+
+Upgrade failure when ipa-server-upgrade is being run on a system with no
+trust established but trust configured
+
+Fixes: https://pagure.io/freeipa/issue/7939
+---
+ ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index 6b4e2caa2..cdc3a8b04 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
+ 
+         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
+ 
+-        trusts = ldap.get_entries(
+-            base_dn=trusts_dn,
+-            scope=ldap.SCOPE_ONELEVEL,
+-            filter=self.trust_filter,
+-            attrs_list=self.trust_attrs)
++        # We might be in a situation when no trusts exist yet
++        # In such case there is nothing to upgrade but we have to catch
++        # an exception or it will abort the whole upgrade process
++        try:
++            trusts = ldap.get_entries(
++                base_dn=trusts_dn,
++                scope=ldap.SCOPE_ONELEVEL,
++                filter=self.trust_filter,
++                attrs_list=self.trust_attrs)
++        except errors.EmptyResult:
++            trusts = []
+ 
+         # For every trust, retrieve its principals and convert
+         for t_entry in trusts:
+-- 
+2.21.0
+

SOURCES/freeipa-4.7.90.pre1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAlzHE98ACgkQRxniuKu/
+YhrICw/8DE6jyt3bnUmzGiXdsV7q1KZUGSIC7GLpvbmewwpUVcXnplHiVCTjrNGI
+jw/jc6y9bIlvqfYNWjAmXNGXyB3AbXweaYRAEzntOHlAmFDlwMXv/D6JL0849/9/
+uRWEefIpHlw/P++WOxm+us7T9h/d6xEe1xY7vaaXVVPjRBewJqddG6ISJgWZ0DSR
+41b/kgOXEvBMOU+gsKCm1fCgKU6KcfwsFq39uSxmTfhKE/578eOUkSAracOwrP2Z
+RePKA4JKqw/Tttl26bgKAkAD8hxJhv6J1MYOSPKp7zssSKw1s1qiPbR6DdJGF/E0
+gqiJwLynZdkkMOsWqHvUK0NDT5LmDdluHBFDle+zupBy1CAE4y1fchsUh910wbRm
+LnrdtkXKUHtE+WGZianMSc1gHCB6EjipHx9iLTrcsGbjz9ziWRb6P6BLgbw2doPG
+mYQVMWBNLQi3gcAjN7IX1+dRWoam+ON/M0GMi5jSplqONBFUj5xwB8LFNV5VfIAu
+zJa0F5V0Qu5XbO7YFoihDcD1OF8fUyKtK+lGa0O/QazR37tl8m5mgYVjDErBx3F+
+ipiB40w+qA1MsJXqdOljoldTvJZCzN+kEJu8aMdQpKcIfkJjKQsrbrh0Ck3cmRHW
+vE3sApyx1p9XvoVtb6lz69B1XJu+Q+Gljlm7JSRLQ3p7GZTT7/Q=
+=5N4+
+-----END PGP SIGNATURE-----